Cyber attack casts new light on Georgia invasion

Did the Kremlin employ cyber-criminals to launch an online attack on Georgia, asks Linton Chiswick

By Linton Chiswick. Last updated at 09:39 on Fri 15 Aug 2008

While Russian tanks rolled into Georgian territory on August 8, a simultaneous 'cyber-attack' was turning Georgia's government web pages into a tangle of broken links.

Malicious technological mischief is something of a feature of Eastern European diplomatic relations. But the scale and, particularly, the timing of this cyber-attack, and the existence of a mysterious 'practice attack' a month earlier, pose important questions about the lead-up to the Russia-Georgian conflict.

The modus operandi was tried and tested, familiar to anyone who had watched the attack on Estonia's official web infrastructure in May 2007. An international network of infected 'zombie' computers, many of them home PCs like yours or mine whose owners had no idea they were compromised, bombarded Georgian government websites with requests in a systematic 'Distributed Denial of Service' (DDoS) attack. If enough computers request a page at the same moment, the server's capacity is exhausted and it stops responding, to legitimate visitors as well as to the attackers.
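As an added illustration of the pattern just described (this code is not part of the original article and was not written by anyone it quotes): a short Python script that reads web-server access-log lines, counts requests per client in each one-second window, and distinguishes a flood spread across many sources, the zombie-network pattern, from a flood coming from a single client, which ordinary per-address rate limiting would already stop. The log lines, addresses and thresholds are constructed for the example and are not figures from the attack on Georgia.

```python
"""Flag a distributed flood in web-server access logs.

Added example. The log lines below are constructed to resemble Apache
combined-format entries; the thresholds are assumptions chosen for
illustration, not measurements from any real attack.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: client IP, two dash fields, [timestamp], "request line", ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line):
    """Return (ip, datetime, request) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def bucket_by_second(lines):
    """Map each one-second window to a Counter of requests per client IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing on them
        ip, ts, _ = parsed
        buckets[ts.replace(microsecond=0)][ip] += 1
    return buckets


def classify(buckets, rate_threshold=20, min_sources=5):
    """Return {window: verdict} for windows whose request rate exceeds the threshold.

    Many distinct clients each sending a few requests is the distributed
    pattern; one client sending most of the traffic is a single-source flood.
    Both thresholds are assumed values for the example.
    """
    verdicts = {}
    for window, counts in sorted(buckets.items()):
        total = sum(counts.values())
        if total < rate_threshold:
            continue  # normal load, nothing to flag
        top_ip, top_count = counts.most_common(1)[0]
        if len(counts) >= min_sources and top_count < total / 2:
            verdicts[window] = "distributed flood"
        else:
            verdicts[window] = "single-source flood from %s" % top_ip
    return verdicts


def make_line(ip, ts, path="/"):
    """Build one constructed log line in Apache combined format."""
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"' % (ip, ts, path)


# Constructed sample log: a quiet second, a second with 30 requests from 30
# different (documentation-range) addresses, a second with 30 requests from
# one address, and one line of garbage to exercise the malformed-line path.
SAMPLE_LOG = (
    [make_line("203.0.113.%d" % i, "08/Aug/2008:10:00:00 +0000") for i in range(1, 4)]
    + [make_line("198.51.100.%d" % i, "08/Aug/2008:10:00:01 +0000") for i in range(1, 31)]
    + [make_line("192.0.2.7", "08/Aug/2008:10:00:02 +0000") for _ in range(30)]
    + ["this line is not a log entry"]
)


def detect(lines=SAMPLE_LOG):
    """Run the pipeline and key the verdicts by HH:MM:SS for readability."""
    return {w.strftime("%H:%M:%S"): v for w, v in classify(bucket_by_second(lines)).items()}


if __name__ == "__main__":
    for window, verdict in detect().items():
        print(window, verdict)
```

The useful signal is the second case: when each source sends only a handful of requests, no single address crosses a per-client limit, so the defence has to look at the aggregate rate and the number of distinct sources, which is why a large botnet is so much harder to filter than one noisy machine.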

The result was a complete cessation of communication between government and people, just as the shells began to land. Other features of the attack included the creation of fake government websites, and the propagandised defacement of the Georgian parliament's site, which carried images comparing Georgian President Mikheil Saakashvili to Adolf Hitler. Desperate, the Ministry of Foreign Affairs was reduced to communicating through a Google-hosted blogging account.

Now security experts are turning their attention to what looks chillingly like a smaller-scale, 'dry run' attack that took place almost a month earlier, before the mainstream media had become aware of just how dangerous a conflict was brewing between Georgia and its giant neighbour.

A blog post on the internet security website Shadowserver, dated July 20, describes a period of more than 24 hours in which "the website of President Mikheil Saakashvili of Georgia (www.president.gov.ge)" was "rendered unavailable due to a multi-pronged distributed denial of service (DDoS) attack."

Sinister? Certainly. A team of experts tracked the 'command and control' server, which aimed and coordinated the attack, to a location in the US. It had apparently become active only weeks previously, and was believed to be operated from within Russia.

Furthermore, when the full-scale cyber-attack followed, a month later, it too preceded the military action, by a full 24 hours.

Experts agree that the attacks were both launched from Russia, but disagree over attribution of responsibility. Some blame 'hacktivists' - politically motivated Russian nationalists acting individually. But, according to the security adviser and blogger at RBNExploit.com, Jart Armin, the attacks were far too sophisticated to be the work of amateurs.

"Kids don't take control of server chains across Eastern Europe. They don't set up copycat fake official sites. And amateur hacktivists don't or can't purchase and manage the swathes of Turkish server space that have been used for this attack," he told The First Post.

Armin believes the evidence points to the Russian Business Network. This shadowy, St Petersburg-based internet company is believed to provide secure hosting for much of the world's online crime, from illicit pornography to credit card fraud and phishing. It is also believed to control the world's biggest and most powerful 'botnet' - a network of infected zombie computers of a scale necessary to perform destructive cyber-terrorism or cyber-warfare on an entire state.

Links between the attacks and the RBN remain circumstantial. That's the nature of warfare conducted from behind banks of false identities and remotely infected networks of computers. But, during the peak of the attack, while Georgian websites were being hit by hundreds of millions of simultaneous requests, and while there were fake websites to be dismantled and studied, Armin claims enough valuable forensic evidence was left behind to make the connection. The attack was almost too successful for its own good.

The bigger question is one of motivation. The RBN is motivated by profit, not politics. Why would it involve itself in cross-border conflict? Is the RBN renting a network of infected computers to the Russian government?

"Think of it this way," says Armin. "They've become nationalised. The most likely scenario is that they receive immunity for some of their wider activities in return for their help. Can I prove this? No, of course not.

"It's a mixture of speculation and circumstantial evidence. But it's known that the Duma has a specific strategy of cyber-warfare. So who are they going to pick as consultants? The experts who live next door."

At the time of posting this article, the Russians are handing over control to Georgian security forces but the cyberwar still rages. Georgian official websites remain offline, and the Russian government denies all responsibility for any cyber-attacks on the country.

But if, as some believe, the online attack was Duma-sanctioned, the timing of both July's 'dry run' and the launch of the full-scale internet bombardment on August 7 casts a very different light on Russia's claims to have been responding spontaneously to aggression when it decided to send troops into neighbouring Georgia.